Zendesk Support and Data Protection – What Website Operators Need to Know

If a website operator uses Zendesk for customer support and live chat, they process contact data (name, email, phone, support inquiry), chat messages and ticketing data for the purpose of customer communication and support handling on the basis of legitimate interests and, where applicable, contract performance. Zendesk International Ltd, Dublin, Ireland, acts as a processor and not as a controller – the website operator bears the main responsibility for the data processing.

This guide is aimed at website operators who use Zendesk Support, Zendesk Chat or Zendesk Ticketing and therefore need a GDPR-compliant privacy policy.

A. Purpose and Function of Zendesk

Zendesk is a cloud-based customer support platform with several functional modules:

• Zendesk Support (Ticketing): Website visitors submit support requests via a form or email; the website operator manages these tickets in a Zendesk dashboard
• Zendesk Chat (Live Chat): A live chat widget on the website enables direct communication between visitor and support agent in real time
• Zendesk Messaging: Messaging via WhatsApp, SMS, Messenger and other channels
• Knowledge Base: Public FAQ and self-service articles

The typical integration takes place via:

1. Chat widget: A JavaScript snippet on the website displays a small chat window
2. Support form: A contact form sends inquiries to Zendesk
3. Email integration: Support inquiries can also be submitted by email

When in use, contact and communication data is transmitted to the Zendesk servers, where it is stored, searched and analyzed in a ticketing system.

B. Mandatory Disclosures in the Privacy Policy regarding Zendesk

The GDPR requires for every processor: purposes (Art. 13(1)(c)), legal bases (Art. 13(1)(a)), categories of recipients (Art. 13(1)(e)), third-country transfers (Art. 13(1)(f), if relevant) and storage duration (Art. 13(2)(a)).

Perspective on Zendesk integration: Many website operators only write about Zendesk »Zendesk processes support requests« – this is too short and not meaningful. Instead, the following should become clear:

• Who is Zendesk (processor in Dublin)?
• What data flows (name, email, chat content)?
• What purpose (support handling, ticketing)?
• What legal basis (legitimate interests, possibly contract)?
• Where is data processed (server locations)?

Better: A topic-oriented section »Customer communication and support« with a list of all support tools (Zendesk, mail, phone).

C. Provider of Zendesk: Zendesk International Ltd

Legal name: Zendesk International Ltd

Address: 55 Charlemont Place, Saint Kevin's, Dublin D02 F985, Ireland

Country of seat: Ireland (European Union / EEA)

Privacy policy: https://www.zendesk.com/company/agreements-and-terms/privacy-policy/

DPF status: Zendesk International Ltd is an EU company (Ireland) and is not subject to the Data Privacy Framework. The DPF only applies to US companies. However, Zendesk uses Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC) for third-country transfers to Zendesk companies and subprocessors in the USA.

Data Processing Agreement (DPA): Zendesk offers a standardized Data Processing Agreement (DPA). This is available at https://www.zendesk.com/company/data-processing-agreement/ and can be signed electronically. The DPA regulates:

• Zendesk's role as processor (Art. 28 GDPR)
• Subprocessor management
• Security measures (encryption, access control)
• Data subject rights (support for access requests, deletion requests)
• Third-country transfers via SCC and BCR

You must have signed this DPA in order to use Zendesk in a GDPR-compliant manner.

D. Data Processing by Zendesk – Workflow

E. Data Collected when Using Zendesk

When integrating Zendesk, the website operator processes the following types of data:

• Name and email address of the visitor
• Phone number (if provided)
• Chat or support messages (freely written texts)
• IP address
• Device information (operating system, screen resolution, browser type)
• Browser information (user agent, browser version)
• Uploaded files/attachments (screenshots, PDFs, images, documents)
• Visited page (referrer)
• Timestamp and duration of the chat/ticket interaction
• Ticket status and assignment to support agent
• Automatic notes and tags by Zendesk AI

This data can be classified into the following standardized data type classes:

• Web server log data: IP address, date/time, browser/OS, referrer, technical metadata
• Click paths: Visited page before chat opening, clicked support links
• Device data: Device type, operating system, screen resolution, browser
• Browser information: Browser name, version, installed plug-ins
• Usage account data: Customer name, email address, phone number
• User content: Chat messages, support tickets, uploaded files
• User profiles: Ticket history, previous contacts, support category assignment
• Interaction data: Chat duration, message sequences, response times

F. Purposes of Use when Using Zendesk

In customer communication with Zendesk, data is processed for the following purposes:

Primary purposes:

• Provision of functionality: Provision of the chat widget and support form functionality
• Communication: Answering customer inquiries, processing support tickets, live chat conversations
• Ticketing: Management, categorization and prioritization of support requests
• Data subject rights: Retention of support records and documentation of communication
• Product improvement: Analysis of ticket patterns, support efficiency, error identification
• General product improvement: Improvement of chat user-friendliness, error analysis, performance optimization
• Security: Combating spam and abuse in the chat/ticket system

Secondary purposes (if activated):

• Analytics: Zendesk-internal analytics to improve the product (with anonymisation)
• AI/Machine learning: Automatic categorization, sentiment analysis (optional)
• Reporting: Creation of support reports for the website operator

G. Legal Bases for Zendesk

Step 1: Categorization of Zendesk Zendesk is a processor (Art. 28 GDPR). The website operator is the controller and bears responsibility for ensuring that:

• A legal basis for the processing exists
• Data subject rights are guaranteed
• A DPA with Zendesk exists

Step 2: Applicable legal bases

1. Legitimate interests (Art. 6(1)(f) GDPR) – primary:

   • The website operator has a legitimate interest in offering customer support
   • Customer communication improves the business relationship
   • Ticketing enables tracking and documentation of inquiries
   • The interests of the website operator outweigh the interests of the data subjects, since the processing is necessary and foreseeable
   • Balancing: The data subject expects that a support contact will be documented

2. Contract performance (Art. 6(1)(b) GDPR) – secondary:

   • If the data subject submits a support ticket, storage is necessary for the fulfilment of the support promise
   • Storage and processing are contractually required

3. Consent (Art. 6(1)(a) GDPR) – optional:

   • Not required, since legitimate interests are sufficient
   • Optional: If the website operator uses chat data for marketing (e.g. remarketing lists), consent is required

Special feature – § 25 TDDDG: If the chat widget also sets cookies (e.g. for session tracking or visitor recognition), opt-in consent is required (§ 25(1) TDDDG). Pure support functionality without tracking cookies does not require additional consent.

H. Special Features and Notes regarding Zendesk

1. Processor with own controller status Zendesk is a processor for the website operator, but also a controller for its own processing (e.g. product improvement, security research). This means:

• You are the controller for the support data you collect
• Zendesk is the processor for the technical storage
• Zendesk is also the controller for internal analytics and security analyses

2. DPA is mandatorily required You must have a Data Processing Agreement (DPA) with Zendesk. This is available at https://www.zendesk.com/company/data-processing-agreement/ and regulates:

• Data processing under Art. 28 GDPR
• Subprocessor approval
• Security standards (BSI C5, ISO 27001)
• Support for data subject rights

Without a DPA, you violate Art. 28 GDPR.

3. Subprocessors and third-country transfers Zendesk uses subprocessors for hosting (AWS), analytics and security. Many of these subprocessors are based in the USA. Applicable transfer mechanisms:

• Data Privacy Framework (DPF): Zendesk uses DPF for US subprocessors (check https://www.dataprivacyframework.gov/s/participant-search)
• Standard Contractual Clauses (SCC): For other US transfers
• Binding Corporate Rules (BCR): Zendesk operates its own BCR for intra-group transfers

You should disclose in your privacy policy: »Support data is partly transferred to AWS in the USA. Zendesk uses Data Privacy Framework and Standard Contractual Clauses.«

4. Data subject rights and Zendesk Data subjects can request access to, rectification of or erasure of their support ticket (Art. 15–17 GDPR). You must:

• Have a procedure for receiving deletion requests (e.g. by email)
• Forward these requests to Zendesk
• Zendesk supports you with implementation (regulated by DPA)

5. Storage duration and compliance You can retain support data for any length of time. Zendesk itself deletes data within 30 days of your deletion. Recommendation: Document your retention policies (e.g. »Support tickets 2 years«).

I. FAQ on Zendesk

J. Conclusion and Recommendation regarding Zendesk

Zendesk is a proven support tool, but it is complex from a data protection perspective: processor structure, third-country transfers to the USA, subprocessors, and various legal bases.

Tool-specific text templates (»Zendesk processes support requests«) are too short and do not meet the GDPR requirements.

Recommendation: Use a topic-oriented structure:

• Section »Customer communication and support« with description of all support channels (chat, email, phone)
• Section »Data subject rights« with info on access and deletion requests
• Section »Third-country transfers« with reference to DPF/SCC
• Appendix with subprocessor list (available from Zendesk)

Make sure that:

• The DPA with Zendesk is signed
• You have the current subprocessor list
• An internal process for data subject rights requests exists